Date: 2020-07-22

THE University of York has launched an investigation after personal details of students, staff and alumni may have been stolen by hackers.

It said Blackbaud, which provides a customer relationship management system for the university, was hit by a ransomware attack in May 2020. However, it only informed the university on July 16, while the university only shared details of the breach yesterday (Tuesday).

The cybercriminal removed a copy of a subset of data from a number of Blackbaud's clients, which included the University of York.

A spokesperson for the university said yesterday: "We use this system to record engagement with members of the university community, including alumni, staff and students, and extended networks and supporters. Having undertaken a review of the information shared by Blackbaud mapped against our data, we are sharing details of this breach of Blackbaud’s systems with members of our community today."

The university confirmed that data stolen by the cybercriminal may have contained information including basic details such as name, title, gender, date of birth and student number; addresses and contact details; course and educational attainment details; professional details, such as the profession people work in; a record of engagement with alumni and fundraising activities; and information about people's interests they have provided to the university.

The university added that a detailed forensic investigation was undertaken, on behalf of Blackbaud, by law enforcement and third-party cyber security experts.

"Blackbaud have confirmed that the investigation found that no encrypted information, such as bank account details or passwords, was accessible," the spokesperson said.

"Blackbaud also confirmed that no credit card information formed part of the data theft."

The university said that in order to protect customers’ data and mitigate potential identity theft, Blackbaud paid the criminals an undisclosed amount as a ransom.

The company "received assurances from the cybercriminal that the data had been destroyed," the spokesperson commented.

The university is carrying out its own investigation.

It has informed the Information Commissioner’s Office (ICO) of the breach and is awaiting further guidance.

The spokesperson also said: "We are taking steps to understand how many other parties in the higher education and the wider not-for-profit sector have been affected.

"There is no need for our community to take any action at this time. As a best practice, we recommend people remain vigilant and promptly report any suspicious activity or suspected identity theft to the proper law enforcement authorities."

Blackbaud is one of the world’s largest providers of customer relationship management systems for not-for-profit organisations and the higher education sector.

The company has issued a statement saying: "In May of 2020, we discovered and stopped a ransomware attack. In a ransomware attack, cybercriminals attempt to disrupt the business by locking companies out of their own data and servers. After discovering the attack, our Cyber Security team—together with independent forensics experts and law enforcement—successfully prevented the cybercriminal from blocking our system access and fully encrypting files; and ultimately expelled them from our system. Prior to our locking the cybercriminal out, the cybercriminal removed a copy of a subset of data from our self-hosted environment. The cybercriminal did not access credit card information, bank account information, or social security numbers. Because protecting our customers’ data is our top priority, we paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed. Based on the nature of the incident, our research, and third party (including law enforcement) investigation, we have no reason to believe that any data went beyond the cybercriminal, was or will be misused; or will be disseminated or otherwise made available publicly."